CAUSE

In some cases, the Windows Server 2003-based DNS server incorrectly sets the Authoritative Answer (AA) bit when it forwards the query to the conditional forwarders. Some DNS Servers check the AA bit when they receive queries. If the AA bit is set, the query is rejected. This occurs because the AA bit should be set only .in responses for which the responding server is authoritative for a particular domain.

WORKAROUND

To work around the issue, use root hints or the default All other DNS domains option instead of using the conditional forwarders.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.